Sober variant becomes propaganda tool

Some e-mail inboxes filled up with German-language spam over the weekend, as the well-traveled Sober virus was apparently turned into a propaganda machine by its author.

Sober has infected millions of computers around the globe since it first launched in 2003, and it's gone through nearly 20 variations. But this weekend's version was different — it wasn't designed to spread itself, or to infect other computers with toxic e-mail messages.

It was designed to simply get a point across.

Some time during the weekend, thousands of Sober-infected machines under the control of the virus writer were instructed to download a new version of the program, called Sober-Q, according to antivirus firm MessageLabs.

The new version turned infected computers into spam machines. The infected computers were then told to send out hundreds of messages, mostly in German, linking to Web pages containing information on conservative German political issues. Many of the e-mails actually linked to legitimate news stories, at Web sites like Der Spiegel Online.

But the worm isn't spreading, and only previously infected computers were at risk of infection, experts said.

"It is a one-time political message," said McAfee's Vincent Gullotto, vice president of the firm's virus research lab.

There are 72 variations of the spam. Some are in English, with crass messages, containing subject lines such as "The Whore Lived Like a German."

But others are obviously laced with politics. Some of the messages bemoan the bombing of Dresden by Allied armies in 1945. The e-mail may be timed to the 60th anniversary of the Allied victory over Nazi Germany, celebrated last week.

Other messages contain arguments against allowing Turkey into the European Union. One message in English links to a story about the politically sensitive topic of alleged Armenian genocide at the hands of the Ottoman Empire, "Armenian Genocide Plagues Ankara 90 Years On." A public apology has been proposed as a condition of Turkey's EU membership.

This technique for sending spam was very effective, spam experts say, because the messages were sent by innocent-looking computers. Most of the messages breezed through spam filters.

"Almost all of the spam e-mails have been sent from otherwise clean IP addresses and will have gone largely undetected by spam filters," said Stephen White, head of anti-spam technical operations at MessageLabs. "It would seem that the virus author has stored up networks of infected machines around the world, holding them on standby to deploy at specific times."

The virus is not considered dangerous, said McAfee's Gullotto. Very few infections have been reported. But it is generating a lot of spam, he said, with some customers receiving hundreds of messages.

Symantec Corp.'s Alfred Huger estimated that Sober-Q had generated "tens of millions" of spam messages. Each infected machine is probably capable of sending out 10,000 spams per hour, he said.

"To spread a significant amount of spam you don't need too many (infected computers)," he said.

This is not the first time a virus has contained a political message, but it is one of the most effective in recent memory, Gullotto said.

"It is generating a lot of spam," he said. "With the success of it, you would expect it to be used again."